From 524417af143b8f5247d37c24e2ba79458e8e0092 Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Wed, 22 Nov 2023 09:13:10 +0200
Subject: [PATCH] Blacklist malware_PlugX_config YARA rule

False positive:
malware_PlugX_config /usr/lib64/libmariadbd.so.19
0x61ba36:$v2b: 68 A0 02 00 00
0x626276:$v2f: 68 24 0D 00 00
0x61ba36:$v2g: 68 A0 02 00 00
0x623e76:$v2h: 68 E4 0A 00 00
0xd2bcc9:$enc3: B8 33 33 33 33
0xd51037:$enc3: BA 33 33 33 33
0xd512af:$enc3: BA 33 33 33 33
0xd6d909:$enc3: B8 33 33 33 33
0xd92cf9:$enc3: BF 33 33 33 33
0xd92e63:$enc3: BF 33 33 33 33
0xcd6f0b:$enc4: BE 44 44 44 44
621c2d446f06b654ee0a2e8c6057a3913ddfbc7d64a747b355106b21dad778115417ad86ac193a39beb604fb19e14e1782536c3ec3985cc70777552a2ce9d221 /usr/lib64/libmariadbd.so.19
---
 tasks/clamav.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tasks/clamav.yml b/tasks/clamav.yml
index f00ea99..0fde7b7 100644
--- a/tasks/clamav.yml
+++ b/tasks/clamav.yml
@@ -216,6 +216,7 @@
 CS_encrypted_beacon_x86
 malware_shellcode_hash
 Windows_Trojan_BloodAlchemy_de591c5a
+ malware_PlugX_config
 tags:
 - configuration
 - yara
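Review bot: The added `malware_PlugX_config` entry silences the rule host-wide on the strength of a single false positive, so a genuine PlugX configuration blob in any other file will no longer be flagged; the hunk reads as a name-based ignore list of YARA rules, but the task that owns this list starts above the hunk and the exact mechanism is not visible here. Since the commit message already records a hash of /usr/lib64/libmariadbd.so.19, the narrower fix is to whitelist that one file through ClamAV's hash-based false-positive database (`.fp`/`.sfp`, which as far as I recall take MD5 or SHA-1/SHA-256 rather than SHA-512, so the hash would need recomputing) and keep the rule active — worth confirming the role supports that before switching. If the name-based blacklist is kept, record the reason next to the entry so it can be revisited when the rule or the MariaDB package changes, e.g. `# malware_PlugX_config: FP on /usr/lib64/libmariadbd.so.19 (see commit 524417a)`, placed as a YAML comment on the task if the list is a literal block scalar where a `#` line would become file content.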